Blizzard Entertainment reported on Thursday that Battle.net, its proprietary game network, has been hacked, and some user information has been stolen, though the company has seen no evidence that accounts or credit cards are at risk.
The stolen information includes email addresses for users outside of China, and for players on North American servers specifically, that data also includes the answers to personal security questions and information relating to mobile and dial-in Battle.net authenticators. This affects players across all of Blizzard's Battle.net properties, including StarCraft II, Diablo III, and World of Warcraft.
In a post on the official Blizzard website, studio president Mike Morhaime said that the company does not think the stolen data would allow anyone to gain access to another user's Battle.net account, nor does it think any credit card data has been accessed.
While Blizzard isn't aware of any compromised accounts so far, the company is urging North American users to change their passwords, and will be prompting all players to update their personal security questions.
This hack closely mirrors a number of earlier attacks on other major game services. For instance, Steam was hacked last November, and of course the PlayStation Network became infamous for its major security breach in mid-2011.
"though the company has seen no evidence that accounts... are at risk."
They said their SRP password verifier database was stolen, which means, assuming they're using standard SRP, yes, all the accounts (particularly those with dictionary passwords) are at risk from fairly low-cost cracking, as are many of the plaintext passwords.
Please help stamp out inaccurate corporate messaging about *your* personal security, and demand transparency with regards to password and other security protocols.
Heh. Today I got a phishing email that looked like Blizzard accusing me of trying to sell my WoW account. Pretty clever to use this news for phishing! So, look out for those!